
Commit 192e314

committed
fix: Auto rotate token should be between DefaultAutoRotateBeforeMinTTL and DefaultAutoRotateBeforeMaxTTL
1 parent 2d9fdcc commit 192e314


3 files changed

+47
-17
lines changed


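--- a/defs.go
+++ b/defs.go
@@ -15,10 +15,10 @@ var (
 
 const (
 DefaultConfigFieldAccessTokenMaxTTL = 7 * 24 * time.Hour
-DefaultConfigFieldAccessTokenRotate = 2 * 24 * time.Hour
+DefaultConfigFieldAccessTokenRotate = DefaultAutoRotateBeforeMinTTL
 DefaultRoleFieldAccessTokenMaxTTL = 24 * time.Hour
 DefaultAccessTokenMinTTL = 24 * time.Hour
 DefaultAccessTokenMaxPossibleTTL = 365 * 24 * time.Hour
-DefaultAutoRotateBeforeMinFraction = 0.1
-DefaultAutoRotateBeforeMaxFraction = 0.5
+DefaultAutoRotateBeforeMinTTL = 24 * time.Hour
+DefaultAutoRotateBeforeMaxTTL = 730 * time.Hour
 )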
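Review bot: The two new exported constants and the re-pointed DefaultConfigFieldAccessTokenRotate have no doc comments, and the "TTL" suffix on DefaultAutoRotateBeforeMinTTL/MaxTTL suggests a token lifetime when they actually bound the auto_rotate_before lead time, so a reader has to open pathConfigWrite to learn what they mean. A one-line comment each would settle that, e.g. `// DefaultAutoRotateBeforeMinTTL is the smallest auto_rotate_before value the config endpoint accepts (also the default).` and `// DefaultAutoRotateBeforeMaxTTL is the largest auto_rotate_before value the config endpoint accepts.`. Note that DefaultAutoRotateBeforeMaxTTL (730h) exceeds DefaultConfigFieldAccessTokenMaxTTL (7 days) declared a few lines above; if the latter is still the default max_ttl for issued tokens, the accepted rotate-before range can be longer than a token's whole lifetime, which deserves a comment here or a cross-check at the validation site. The surrounding const block closes inside the hunk but the file's `var (` block named in the hunk header is outside it.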

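--- a/path_config.go
+++ b/path_config.go
@@ -49,14 +49,14 @@ var (
 "revoke_auto_rotated_token": {
 Type: framework.TypeBool,
 Default: false,
-Description: `Should we revoke the autorotated token after a new one has been generated?`,
+Description: `Should we revoke the auto-rotated token after a new one has been generated?`,
 DisplayAttrs: &framework.DisplayAttributes{
 Name: "Revoke auto rotated token",
 },
 },
 "auto_rotate_before": {
 Type: framework.TypeDurationSecond,
-Description: `How much time should be remaining on the token validity before we should rotate it?`,
+Description: `How much time should be remaining on the token validity before we should rotate it? Minimum can be set to 24h and maximum to 730h`,
 Default: DefaultConfigFieldAccessTokenRotate,
 DisplayAttrs: &framework.DisplayAttributes{
 Name: "Auto rotate before",
@@ -145,16 +145,16 @@ func (b *Backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
 
 if autoTokenRotateTtlOk {
 atr, _ := convertToInt(autoTokenRotateRaw)
-if atr > int(config.MaxTTL.Seconds()*DefaultAutoRotateBeforeMaxFraction) {
-err = multierror.Append(err, fmt.Errorf("auto_rotate_token can not be bigger than %d%% (max: %s) of %s: %w", int(DefaultAutoRotateBeforeMaxFraction*100), time.Duration(config.MaxTTL.Seconds()*DefaultAutoRotateBeforeMaxFraction)*time.Second, config.MaxTTL.String(), ErrInvalidValue))
-} else if atr <= int(config.MaxTTL.Seconds()*DefaultAutoRotateBeforeMinFraction) {
-err = multierror.Append(err, fmt.Errorf("auto_rotate_token can not be less than %d%% (max: %s) of %s: %w", int(DefaultAutoRotateBeforeMinFraction*100), time.Duration(config.MaxTTL.Seconds()*DefaultAutoRotateBeforeMinFraction)*time.Second, config.MaxTTL.String(), ErrInvalidValue))
+if atr > int(DefaultAutoRotateBeforeMaxTTL.Seconds()) {
+err = multierror.Append(err, fmt.Errorf("auto_rotate_token can not be bigger than %s: %w", DefaultAutoRotateBeforeMaxTTL, ErrInvalidValue))
+} else if atr <= int(DefaultAutoRotateBeforeMinTTL.Seconds()) {
+err = multierror.Append(err, fmt.Errorf("auto_rotate_token can not be less than %s: %w", DefaultAutoRotateBeforeMinTTL, ErrInvalidValue))
 } else {
 config.AutoRotateBefore = time.Duration(atr) * time.Second
 }
 } else {
-config.AutoRotateBefore = time.Duration(config.MaxTTL.Seconds()*DefaultAutoRotateBeforeMinFraction) * time.Second
-warnings = append(warnings, fmt.Sprintf("auto_rotate_token not specified setting to %v (%d%% of %s)", config.AutoRotateBefore.String(), int(DefaultAutoRotateBeforeMinFraction*100), config.MaxTTL.String()))
+config.AutoRotateBefore = DefaultAutoRotateBeforeMinTTL
+warnings = append(warnings, fmt.Sprintf("auto_rotate_token not specified setting to %s", DefaultAutoRotateBeforeMinTTL))
 }
 
 if err != nil {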
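Review bot: The new lower bound in the second hunk rejects the documented minimum: `atr <= int(DefaultAutoRotateBeforeMinTTL.Seconds())` returns ErrInvalidValue for exactly 24h, while the field description added in the first hunk says "Minimum can be set to 24h" and the else branch assigns that same 24h as the default. Changing the comparison to `} else if atr < int(DefaultAutoRotateBeforeMinTTL.Seconds()) {` makes the boundary inclusive and consistent with the description. Dropping the old MaxTTL-relative check also means a value above config.MaxTTL now passes (the description allows up to 730h against a DefaultConfigFieldAccessTokenMaxTTL of 7 days); if rotation fires whenever remaining validity is below auto_rotate_before, such a token is inside the rotation window from the moment it is issued, so a guard like `if atr > int(config.MaxTTL.Seconds()) { err = multierror.Append(err, fmt.Errorf("auto_rotate_before can not exceed max_ttl %s: %w", config.MaxTTL, ErrInvalidValue)) }` looks warranted — please confirm the rotation semantics before adding it. The rewritten error strings still name the field auto_rotate_token although the parameter is auto_rotate_before. pathConfigWrite starts and ends outside this hunk.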

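--- a/path_config_token_autorotate_test.go
+++ b/path_config_token_autorotate_test.go
@@ -52,12 +52,44 @@ func TestPathConfig_AutoRotate(t *testing.T) {
 Data: map[string]interface{}{
 "token": "super-secret-token",
 "max_ttl": "48h",
-"auto_rotate_before": "48h",
+"auto_rotate_before": (gitlab.DefaultAutoRotateBeforeMaxTTL + time.Hour).String(),
 },
 })
-require.Error(t, err)
+require.ErrorIs(t, err, gitlab.ErrInvalidValue)
 require.Nil(t, resp)
+})
+
+t.Run("auto_rotate_before should be set to correct value", func(t *testing.T) {
+b, l, err := getBackend()
+require.NoError(t, err)
+resp, err := b.HandleRequest(context.Background(), &logical.Request{
+Operation: logical.UpdateOperation,
+Path: gitlab.PathConfigStorage, Storage: l,
+Data: map[string]interface{}{
+"token": "super-secret-token",
+"max_ttl": "48h",
+"auto_rotate_before": "48h",
+},
+})
+require.NoError(t, err)
+require.NotNil(t, resp)
+require.EqualValues(t, "48h0m0s", resp.Data["auto_rotate_before"])
+})
+
+t.Run("auto_rotate_before should be more than the minimal limit", func(t *testing.T) {
+b, l, err := getBackend()
+require.NoError(t, err)
+resp, err := b.HandleRequest(context.Background(), &logical.Request{
+Operation: logical.UpdateOperation,
+Path: gitlab.PathConfigStorage, Storage: l,
+Data: map[string]interface{}{
+"token": "super-secret-token",
+"max_ttl": "48h",
+"auto_rotate_before": (gitlab.DefaultAutoRotateBeforeMinTTL - time.Hour).String(),
+},
+})
 require.ErrorIs(t, err, gitlab.ErrInvalidValue)
+require.Nil(t, resp)
 })
 
 t.Run("auto_rotate_before should be set to min if not specified", func(t *testing.T) {
@@ -88,10 +120,8 @@ func TestPathConfig_AutoRotate(t *testing.T) {
 "auto_rotate_before": "10h",
 },
 })
-require.NoError(t, err)
-require.NotNil(t, resp)
-assert.NotEmpty(t, resp.Data["auto_rotate_before"])
-assert.EqualValues(t, "10h0m0s", resp.Data["auto_rotate_before"])
+require.ErrorIs(t, err, gitlab.ErrInvalidValue)
+require.Nil(t, resp)
 })
 }
 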
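Review bot: Neither boundary itself is exercised: the new "should be more than the minimal limit" subtest sends DefaultAutoRotateBeforeMinTTL minus one hour and the first subtest sends DefaultAutoRotateBeforeMaxTTL plus one hour, but no request carries `"auto_rotate_before": gitlab.DefaultAutoRotateBeforeMinTTL.String()` or the corresponding max value, so whether 24h is accepted (as the field description states) or rejected (as the `<=` comparison in pathConfigWrite does) is left unpinned. Adding those two exact-value cases would document the intended inclusive or exclusive semantics and would have caught the mismatch. The new "should be set to correct value" subtest also accepts auto_rotate_before equal to max_ttl (both 48h); if that is intentional, a short comment on the subtest saying that rotation is then due as soon as a token is issued would help, since the removed MaxTTL-fraction check used to forbid it. TestPathConfig_AutoRotate starts outside both hunks.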